By hzhwang on July 1, 2007

Installing OpenCA: just about every strange thing that could happen to me did. My final conclusion is that the openca mail-archive is genuinely useful. The installation procedure below will not necessarily work for you as written, but I will point out the problems that are most likely to bite during installation (the worst part of installing OpenCA is that it gives no warnings or error messages at all; you only find out something is wrong once you start running it).

Installation environment. Ubuntu: I could not work out how the packages are laid out (perhaps apt-get can pull in what is needed), so this installation log applies to FreeBSD only. OpenSSL: nothing special is needed. Apache: I am on the 1.3.x series and prefer to configure the modules myself; I will write separate articles about that setup. DBMS: BerkeleyDB is the choice if you want a painless installation; it should have the fewest problems. Second is MySQL, which should not cause much trouble either. Last is PostgreSQL; if you are used to MySQL, switching to PostgreSQL is a bit painful because its usage differs conceptually. Oracle... I should take a look at that challenge in the near future. In this tutorial I used PostgreSQL 8.2.4.

In the previous post I introduced the OpenCA concepts of CA, RA, ca-node and ra-node. This post covers only the installation, not the concepts (how you divide these roles is your own decision), so set those parts up according to your own documentation.

1. Install PostgreSQL. Refer to the previous post for the setup.

2. Configure PostgreSQL following the official tutorial. The steps are:
su - postgres
psql -d template1
psql> create user openca with password 'openca' createdb nocreateuser;
psql> \q
psql -d template1 -U openca
psql> create database openca;
psql> \q
This creates a database named openca and a user named openca whose password is also openca (if PostgreSQL refuses the connection for the openca user, you need to adjust its client-authentication settings, pg_hba.conf, so that the openca user can log in to the database; and on a real CA you should obviously pick a password other than the user name). For OpenSSL, the LDAP library, the Perl modules and Apache + mod_ssl, refer to the official slides; some of the steps in the slides can be skipped when installing OpenCA. If you are a Ubuntu user and the build of mod_ssl-2.8.22-1.3.33 fails, run:
rm -f /bin/sh
ln -s /bin/bash /bin/sh
I do not know why, but it works. The most troublesome part is installing OpenCA itself. I went with 0.9.3-RC1; after looking at the available versions this one should be better than the others. Let's do the RA first:

./configure --prefix=/usr/local/openra --with-openssl-prefix=/usr/local/ssl \
    --with-module-prefix=/usr/local/openra/modules --with-node-prefix=ra-node \
    --with-web-host=localhost --with-httpd-user=nobody --with-httpd-group=nobody \
    --with-httpd-fs-prefix=/usr/local/openra/httpd --with-engine=no \
    --enable-dbi --enable-rbac --with-hierarchy-level=ra --enable-ocspd \
    --with-db-type=Pg --with-db-user=openca --with-db-name=openca \
    --with-db-host=localhost --with-db-port=5432 --with-db-passwd=openca

This installs under /usr/local/openra, runs the web side as nobody/nobody (check that this user actually exists in your passwd file) and uses PostgreSQL (the DBD driver name is Pg). The site-specific parts (users, paths, database credentials) must be adapted to your environment. Note that the database password is passed on the command line, so it ends up in your shell history and in the generated configuration files; do not use 'openca' on a production CA. Then build and install:

make; make install-online; make clean

Next, under /usr/local/openra/OpenCA, change the permissions of the var directory and of etc/servers:

chmod -R 777 var
cd etc/servers
chmod -R 644 *

(777 on var is the quick way to get the httpd user write access; the safer equivalent is to chown var to the httpd user, here nobody, and use mode 750.)

Finally, go back to the etc directory and edit config.xml. Make a copy of config.xml before editing, otherwise redoing it is very painful. This part is still worth checking against the slides. The entries that must be changed are: ca_organization -> CA, ca_locality -> KH, ca_country -> TW. Also take another look at the database-related entries and confirm them; running ./configure_etc.sh did not seem to change any of them for me. Pay special attention to db_namespace. I am not sure whether 0.9.3-RC1 still uses this parameter, but if you see a value there, clear it: it is for Oracle. If you forget, there may be no way to get the database initialization to run at the end. Next, search for the keyword "exchange".
It should land you in the dataexchange configuration section. Comment out part 0 (be careful with the comment delimiters; do not turn "-->" into "--!>". I spent more than an hour on the mailing list before I found that I had broken the well-formedness of the XML file, and the installer prints no message at all about it), then uncomment part 2, the RA-related part. Next find the "device" parameters; these belong to dataexchange too. Their default value /dev/fd0 is a floppy drive, but hardly anyone uses one these days. In a real deployment the CA and the RA host should be separate machines, and the portable data can go on a USB flash drive. Someone previously did the exchange directly over the network cards (two computers plus one crossover cable). For this example I list the final settings I ended up with. Pay attention to the path details, otherwise the ca-node will have trouble handing things over to the ra-node.
RA: config.xml: node acts as an RA only
dataexchange_device_up:    replace /dev/fd0 with /usr/local/openca/OpenCA/var/tmp/ca-down
dataexchange_device_down:  replace /dev/fd0 with /usr/local/openra/OpenCA/var/tmp/ra-down
dataexchange_device_local: replace /dev/fd0 with /usr/local/openra/OpenCA/var/tmp/ra-local
If your config.xml is well-formed, it should just work. If the structure is broken you get an error that utf8_latin1_selector.sh cannot be found (my whole last day went on config.xml problems...). If everything is OK you can start the RA first:

./openca_rc start

Back to the CA. The CA installation settings are similar to the RA's, but a few places differ; be careful not to mix them up:

./configure --prefix=/usr/local/openca --with-openssl-prefix=/usr/local/ssl \
    --with-module-prefix=/usr/local/openca/modules --with-node-prefix=ca-node \
    --with-web-host=localhost --with-httpd-user=nobody --with-httpd-group=nobody \
    --with-httpd-fs-prefix=/usr/local/openca/httpd --enable-ocspd --with-engine=no \
    --enable-dbi --enable-rbac --with-hierarchy-level=ca \
    --with-db-type=Pg --with-db-user=openca --with-db-name=openca \
    --with-db-host=localhost --with-db-port=5432 --with-db-passwd=openca

and then:

make; make install-offline; make clean

The CA is installed under /usr/local/openca. The config.xml edits up to the dataexchange part are the same as for the RA. The last step is the dataexchange section of config.xml: comment out part 0, then uncomment part 1, the CA part. What remains are the dataexchange device settings; these are the final values I used:
dataexchange_device_up:    replace /dev/fd0 with /usr/local/openca/OpenCA/var/tmp/ca-up
dataexchange_device_down:  replace /dev/fd0 with /usr/local/openca/OpenCA/var/tmp/ca-down
dataexchange_device_local: replace /dev/fd0 with /usr/local/openra/OpenCA/var/tmp/ra-local
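Because the installer says nothing when config.xml is damaged, it pays to check the file mechanically before running configure_etc.sh on either node. The following pre-flight check is an added example written for this post; it is not part of the original article or of OpenCA. It assumes the `<option><name>..</name><value>..</value></option>` layout of OpenCA's config.xml, and the sample document embedded in it is constructed to mirror the RA settings above. It parses the file (a mangled comment terminator such as `--!>` is reported as the parse error it is), then verifies that ca_organization/ca_locality/ca_country are set, that db_namespace (Oracle only) is empty, and that every dataexchange device has been moved off /dev/fd0 to a directory that exists.

```python
"""Pre-flight check for an OpenCA 0.9.x config.xml (added example, not OpenCA code).

Assumes OpenCA's <option><name>..</name><value>..</value></option> layout.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Entries this post says must be set before initialization.
REQUIRED_NONEMPTY = ("ca_organization", "ca_locality", "ca_country")
# dataexchange devices: the stock value /dev/fd0 (a floppy) must be replaced
# by directories that exist on the host.
DEVICE_OPTIONS = ("dataexchange_device_up",
                  "dataexchange_device_down",
                  "dataexchange_device_local")


def load_options(xml_text):
    """Return {option name: value}; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(xml_text)
    opts = {}
    for opt in root.iter("option"):
        name = opt.findtext("name", default="").strip()
        if name:
            opts[name] = (opt.findtext("value", default="") or "").strip()
    return opts


def check_options(opts, path_exists=os.path.isdir):
    """Return a list of problems found in the parsed options (empty = OK)."""
    problems = []
    for key in REQUIRED_NONEMPTY:
        if not opts.get(key):
            problems.append("%s is empty" % key)
    # db_namespace is an Oracle-only setting; a leftover value makes the
    # database initialization fail on PostgreSQL.
    if opts.get("db_namespace"):
        problems.append("db_namespace must be empty for PostgreSQL, found %r"
                        % opts["db_namespace"])
    for key in DEVICE_OPTIONS:
        dev = opts.get(key, "")
        if not dev:
            problems.append("%s is not set" % key)
        elif dev.startswith("/dev/fd"):
            problems.append("%s still points at the floppy device %s" % (key, dev))
        elif not path_exists(dev):
            problems.append("%s directory does not exist: %s" % (key, dev))
    return problems


def check_text(xml_text, path_exists=os.path.isdir):
    """Full check on the text of a config.xml; never raises."""
    try:
        opts = load_options(xml_text)
    except ET.ParseError as err:
        # This is the failure the OpenCA installer is silent about.
        return ["config.xml is not well-formed XML: %s" % err]
    return check_options(opts, path_exists)


# Constructed sample in the shape of the RA node's config.xml from this post.
SAMPLE_GOOD = """<openca_config><configure_etc><options>
  <option><name>ca_organization</name><value>CA</value></option>
  <option><name>ca_locality</name><value>KH</value></option>
  <option><name>ca_country</name><value>TW</value></option>
  <option><name>db_namespace</name><value></value></option>
  <!-- 2. node acts as an RA only -->
  <option><name>dataexchange_device_up</name>
    <value>/usr/local/openca/OpenCA/var/tmp/ca-down</value></option>
  <option><name>dataexchange_device_down</name>
    <value>/usr/local/openra/OpenCA/var/tmp/ra-down</value></option>
  <option><name>dataexchange_device_local</name>
    <value>/usr/local/openra/OpenCA/var/tmp/ra-local</value></option>
</options></configure_etc></openca_config>
"""

# Same file with the comment terminator mangled into '--!>', the slip that
# silently breaks the installation.
SAMPLE_BROKEN = SAMPLE_GOOD.replace("RA only -->", "RA only --!>")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "config.xml"
    with open(path, "rb") as fh:
        found = check_text(fh.read())
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

Run it as `python check_config.py /usr/local/openra/OpenCA/etc/config.xml` on each node before configure_etc.sh; a non-zero exit means something listed above still needs fixing. The directory-existence test is the one that catches mismatched ca-down/ra-down paths between the two nodes.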
After all that, run configure_etc.sh. If it is OK you can start the CA. Actually there are fewer problems left at this point; the main one is the Apache configuration, where the aliases are not set correctly. The relevant part of httpd.conf should look like this:
# openca
Alias       /ca               /usr/local/openca/httpd/htdocs/ca/
Alias       /ca-node          /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/      /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# openra
Alias       /ra               /usr/local/openra/httpd/htdocs/ra/
Alias       /ra-node          /usr/local/openra/httpd/htdocs/ra-node/
Alias       /pub              /usr/local/openra/httpd/htdocs/pub/
Alias       /ldap             /usr/local/openra/httpd/htdocs/ldap/
ScriptAlias /cgi-bin/ra/      /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/
ScriptAlias /cgi-bin/pub/     /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ldap/    /usr/local/openra/httpd/cgi-bin/ldap/

# The Directory paths did not survive on this page; each block applies to the
# matching Alias / ScriptAlias target above (ExecCGI for the cgi-bin trees,
# FollowSymLinks Indexes for the htdocs trees).
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options FollowSymLinks Indexes
    Order allow,deny
    Allow from all
</Directory>
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options FollowSymLinks Indexes
    Order allow,deny
    Allow from all
</Directory>
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options FollowSymLinks Indexes
    Order allow,deny
    Allow from all
</Directory>

"Allow from all" is fine for a single-host test setup like this one; on a real deployment the ca and ca-node interfaces should at least be limited to the hosts that need them (for example "Allow from 127.0.0.1") or protected with SSLVerifyClient require, since they are the administrative side of the CA.
Be patient and keep trying. One more thing the slides do not mention: if openca_rc starts cleanly but the web management interface then pops up an error about the password being too short, add an SSLOptions +StdEnvVars line to every CGI Directory block (it exports the SSL_* variables that the OpenCA CGIs read from the environment). For example:
<Directory ...>
    SSLOptions +StdEnvVars
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
For the LDAP part we only need to bring the service up. Refer to the relevant documentation for installing OpenLDAP; start it with:
su root -c /usr/local/libexec/slapd
Restart Apache. Then browse to http://localhost/ca (and likewise ca-node, ra, ra-node and pub) to see whether anything is wrong. If they all work normally, proceed to the initialization steps in the slides. If you want to reference or repost this, please send me a note, and please credit hzhwang as the original author. I referred to a number of other articles while writing this one.